A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020.
The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day. The data was gathered from multiple sources, including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9.
The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks, up from 30% in 2019. This was closely followed by phishing attacks, which were the initial entry point in 33% of attacks, up from 31% in 2019.
2020 was the first year since IBM X-Force started publishing its annual threat index reports that the exploitation of vulnerabilities was more common than phishing as the initial attack vector, which was largely due to the global shift to a distributed workforce in response to the pandemic.
Around 1 in 5 cyberattacks in 2020 involved the exploitation of vulnerabilities in Citrix servers, which were used to support remote workforces. Out of all attacks involving the exploitation of Citrix vulnerabilities, healthcare placed third with 17% of all attacks. Credential theft-related attacks secured third place in the initial attack vector list and accounted for 18% of attacks, down from 29% in 2019.
In healthcare especially, ransomware attacks increased sharply. Overall, 23% of security events in 2020 involved ransomware, up from 20% in 2019. 28% of all cyberattacks on the healthcare industry involved ransomware. These attacks often involved data theft prior to file encryption to pressure victims into paying the ransom to prevent the exposure or sale of stolen data. 59% of ransomware attacks in 2020 involved the use of this double-extortion tactic.
Sodinokibi was used in 22% of all ransomware attacks. The researchers estimate that the Sodinokibi gang generated $123 million in ransom payments in 2020. Other highly active ransomware operations included RagnarLocker, Netwalker, Maze, and Ryuk, which each had a share of 7% of the attacks.
Ransomware was the leading attack type, followed by data theft and server access. Data theft increased 160% year-over-year, with a large proportion of the attacks due to the Emotet Trojan. Server access increased 233% in the past 12 months, mostly involving the exploitation of vulnerabilities and the use of stolen credentials. Remote Access Trojan (RAT) attacks had a notable increase from 2% of attacks in 2019 to 6% in 2020. Business email compromise attacks decreased in 2020, falling from 14% of attacks in 2019 to 9% in 2020. Insider breaches fell from 6% to 5% of attacks, with misconfigurations unchanged, accounting for 5% of attacks.
The second and third most common types of healthcare cyberattacks were server access and BEC attacks, each accounting for 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations accounted for 9% of attacks each.
The increase in healthcare industry cyberattacks was largely due to the industry being heavily targeted by ransomware gangs and threat actors targeting COVID-19-related research organizations. It could have been far worse for the healthcare industry. Security researchers became aware that the Ryuk ransomware gang was planning a targeted campaign in October that would have seen 400 hospitals attacked. Fortunately, efforts by cybersecurity companies and law enforcement limited the attacks to just 9 out of the 400 hospitals.